Evernote Breach Means 50 Million Password Resets

Cloud-based data storage firm Evernote, which counts 50 million users of its mobile apps for storing video, text, photos and other information, revealed a data security breach on Saturday. Security experts said the breach highlights the risks associated with storing data in the cloud.

The Redwood City, Calif.-based company issued a statement via its blog, urging users to reset their passwords. The firm issued a software update over the weekend that automatically prompts users to change their Evernote account password.

The firm said it "discovered and blocked" suspicious activity on its network that appears to be a coordinated attempt to access the company's restricted corporate network. Evernote called its password encryption implementation "robust," but said resetting passwords was a measure taken as an additional precaution.

"In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost," the company said. "We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed."

Evernote said the passwords were protected by one-way encryption, meaning that they were hashed and salted, a process that makes it more difficult for an attacker to crack. Graham Cluley, a senior technology consultant at Sophos, said in a blog post that more information would be needed to determine exactly how strong the password protection was.

"It's another cautionary tale about the risks which can exist with trusting the cloud to look after your personal information," Cluley said. "Evernote sounds to me like it's another online service that would benefit from providing its users with additional account security, such as two-factor authentication."

Writing in the Internet Storm Center Diary, Scott Fendley, an ISC handler, commended Evernote for how it is handling the breach. It appears that Evernote had been preparing for the eventuality that a security breach would occur and had an incident response plan in place.

"It appears that their security operations were able to detect the incident in a reasonable period of time (within a day)," he wrote. "While there is not much technical information yet, they were able to limit some of the questions about how they stored passwords (one way hash with salting)."

Evernote is the latest in a line of recent data security breaches. Social network Twitter is reportedly implementing two-factor authentication following a breach that may have exposed the personal information of up to 250,000 of its users. The company issued password resets to the affected users on Feb. 1, following a "live attack" detected by its security team.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," said Bob Lord, director of information security at Twitter. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."